# Identity Edge API

## Active External Protocol

- REST is the active external protocol for this BFF deployment.
- Internal service calls default to gRPC-adapted contracts.

## Entrypoints

- Canonical session endpoints:
  - `POST /api/identity/session/login`
  - `POST /api/identity/session/refresh`
  - `POST /api/identity/session/logout`
  - `GET /api/identity/session/me`
- Canonical OIDC endpoints:
  - `GET /api/identity/oidc/google/start`
  - `GET /api/identity/oidc/google/callback`
- Compatibility endpoints:
  - `POST /api/identity/token`
  - `POST /api/identity/login`
  - `POST /api/identity/token/refresh`
  - `POST /api/identity/logout`

## Boundary Notes

- Endpoint handlers perform edge validation and permission checks.
- Session login and refresh call the canonical thalos-service session gRPC operations.
- OIDC start/callback handlers generate and validate the PKCE, state and nonce payloads.
- Session cookies (`thalos_session`, `thalos_refresh`) are managed at the BFF edge; their `Secure` flag and `Domain` attribute follow a policy driven by environment configuration.
- Callback failures redirect back to the central auth UX with stable `authError` and `correlationId` query values instead of returning a raw provider-facing JSON payload.
- The temporary OIDC state cookie is cleared on both the callback success and the callback failure path.
- Token issuance and policy evaluation contracts remain available for compatibility calls.
- Business orchestration remains in thalos-service.
- Identity abstractions remain owned by the Thalos repositories.
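The OIDC start/callback behaviour described in the boundary notes, as an added framework-free Python illustration rather than code from this repository: PKCE/state/nonce generation at start, state binding at callback, the state cookie cleared on every path, and failures redirected with stable `authError` and `correlationId` values. The auth UX URL, the error codes and the cookie payload layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

AUTH_UX_URL = "https://auth.example.invalid/login"  # hypothetical central auth UX (not from the page)

def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding PKCE values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) per RFC 7636."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def oidc_start(authorize_url: str, client_id: str, redirect_uri: str):
    """Generate verifier/state/nonce; return the provider redirect URL and the
    payload for the temporary HttpOnly state cookie (encrypt or store server-side in practice)."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, within the 43..128 PKCE range
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid email", "state": state, "nonce": nonce,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}", {"verifier": verifier, "state": state, "nonce": nonce}

def oidc_callback(query: dict, state_cookie, correlation_id: str) -> dict:
    """Validate the callback. Every outcome sets clear_state_cookie=True; failures carry a
    stable authError code plus the correlationId instead of the raw provider response."""
    def fail(reason: str) -> dict:
        redirect = f"{AUTH_UX_URL}?{urlencode({'authError': reason, 'correlationId': correlation_id})}"
        return {"ok": False, "redirect": redirect, "clear_state_cookie": True}
    if not state_cookie or "state" not in state_cookie:
        return fail("missing_state")
    if not hmac.compare_digest(query.get("state", "").encode(), state_cookie["state"].encode()):
        return fail("state_mismatch")      # callback not bound to the browser that started the flow
    if "error" in query:
        return fail("provider_error")      # provider error text is for the logs, not the browser
    if "code" not in query:
        return fail("missing_code")
    # Success: the caller exchanges the code with the verifier, checks the ID-token nonce,
    # then sets thalos_session/thalos_refresh. The state cookie is still cleared.
    return {"ok": True, "code": query["code"], "verifier": state_cookie["verifier"],
            "nonce": state_cookie["nonce"], "clear_state_cookie": True}
```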